EulerOS 2.0 SP1 : nettle (EulerOS-SA-2016-1061)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the nettle packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

- Nettle is a cryptographic library that is designed to
fit easily in more or less any context: In crypto
toolkits for object-oriented languages(C++, Python,
Pike, ...), in applications like LSH or GNUPG, or even
in kernel space.

- Secure Fix(es):

- The ecc_256_modp function in ecc-256.c in Nettle before
3.2 does not properly handle carry propagation and
produces incorrect output in its implementation of the
P-256 NIST elliptic curve, which allows attackers to
have unspecified impact via unknown vectors, a
different vulnerability than
CVE-2015-8805.(CVE-2015-8803)

- x86_64/ecc-384-modp.asm in Nettle before 3.2 does not
properly handle carry propagation and produces
incorrect output in its implementation of the P-384
NIST elliptic curve, which allows attackers to have
unspecified impact via unknown vectors.(CVE-2015-8804)

- The ecc_256_modq function in ecc-256.c in Nettle before
3.2 does not properly handle carry propagation and
produces incorrect output in its implementation of the
P-256 NIST elliptic curve, which allows attackers to
have unspecified impact via unknown vectors, a
different vulnerability than
CVE-2015-8803.(CVE-2015-8805)

- It was found that nettle's RSA and DSA decryption code
was vulnerable to cache-related side channel attacks.
An attacker could use this flaw to recover the private
key from a co-located virtual-machine
instance.(CVE-2016-6489)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?3dcf8a5b

Solution :

Update the affected nettle packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: Huawei Local Security Checks

Nessus Plugin ID: 99823 ()

Bugtraq ID:

CVE ID: CVE-2015-8803
CVE-2015-8804
CVE-2015-8805
CVE-2016-6489

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now